Search using IF statement

tech_soul · ‎10-01-2019

Hi All,

Could you please help me with " if "query to search a condition is true then need to display some values from json format .
please i m brand new to splunk ..

gcusello · ‎10-01-2019

Hi tech_soul,
without othe information is difficoult to help you! could you share more information?

Anyway, you can use the if condition in an eval command to set a variable to use for searches, for additioan information see https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/ConditionalFunctions .

E.g. if I want to set a value OK if a field has a value less than 100 and NOK if the value is more than 100, you could create a search like this:

index=my_index
| eval my_check=if(my_field>100,"NOK","OK")
| table _time my_check

Then you can use this value for additional conditions as search or where.

Bye.
Giuseppe

LizAndy123 · ‎01-16-2025

I have a question

I Did this on an event and basically did the If command - that if above 15 mins then Output is BAD and if under 15 the. output is GOOD - This works.

My question is I now want to search only the BAD and alert - so guess how do I start another search after I have run eval and got my BAD output?

richgalloway · ‎01-16-2025

FWIW, it's usually better to ask a new question than to pile on to a 4-year-old thread.

To keep only the BAD events, try one of these

index=my_index
| eval my_check=if(my_field>100,"NOK","OK")
| where my_check="NOK"
| table _time my_check

or

index=my_index
| where my_field>100
| table _time my_field

---
If this reply helps you, Karma would be appreciated.

yshen · ‎10-12-2020

Thanks for the concise example of if expression.

Search using IF statement

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...